WordPress, the popular website content management system, has an important security patch out today that fixes a flaw left in place by the release of 4.8.2.

The default core installation of WordPress is not
directly affected; rather, the bug is in a security function that the core
provides to plugins and themes. In other words, a bug in the core leaves
plugins and themes that rely on that function potentially open to SQL
injection, and through them whole sites.

Also, crafting a patch to address the blunder
without breaking tons of add-ons for WordPress turned out to be
problematic, delaying the release of

"WordPress versions 4.8.2 and earlier are affected by
an issue where $wpdb->prepare() can create unexpected and unsafe
queries leading to potential SQL injection (SQLi)," the official advisory
today warned. "WordPress core is not directly vulnerable to this issue,
but we’ve added hardening to prevent plugins and themes from
accidentally causing a vulnerability."
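To make the advisory's warning concrete, here is an added illustration, not code from this article or from WordPress itself, of how a vsprintf()-style prepare() can be made to build an unexpected query. `naive_prepare()` is a stripped-down stand-in for the old behaviour: it quotes `%s`, escapes the arguments and hands everything to vsprintf(). Because the arguments are not protected against containing `%`, a value such as `%s` survives the first prepare() and is reinterpreted as a live placeholder if the result is ever passed through prepare() again, the double-prepare pattern that plugins, themes and core itself used. `SafePrepare` shows one hardening: replace `%` in every argument with an unguessable per-request token that is only turned back into `%` immediately before the SQL is executed, which is the general shape of the fix that shipped in 4.8.3. The class name, the token format, the `execute()` stand-in, the attacker value and the table and column names are this example's own assumptions, not WordPress's API.

```php
<?php
// Added example (not WordPress code): emulate a vsprintf()-based prepare()
// to show how a "%" inside an argument becomes a live placeholder when the
// prepared string is prepared a second time, and one way to prevent it.
declare(strict_types=1);

/** Stand-in for the old behaviour: quote %s, escape args, vsprintf(). */
function naive_prepare(string $format, array $args): ?string
{
    $format = str_replace("'%s'", '%s', $format);          // normalise quoting
    $format = preg_replace('/(?<!%)%s/', "'%s'", $format);  // quote string placeholders
    // Arguments are escaped for quotes, but a "%" in them passes straight through.
    $args = array_map(fn($a) => is_int($a) ? $a : addslashes((string) $a), $args);
    try {
        return vsprintf($format, $args);
    } catch (\Error $e) {
        // PHP 8 throws a ValueError when placeholders outnumber arguments;
        // PHP 7 returned false with a warning. Either way the query is not
        // the one the caller meant to build.
        return null;
    }
}

/** Hardened stand-in: "%" in arguments is hidden behind a random token. */
final class SafePrepare
{
    private string $token;

    public function __construct()
    {
        // Unguessable per-request token; assumed format, not WordPress's.
        $this->token = '{' . bin2hex(random_bytes(16)) . '}';
    }

    public function prepare(string $format, array $args): string
    {
        // 1. Neutralise "%" in every argument before it meets the format string.
        $args = array_map(
            fn($a) => is_int($a) ? $a : str_replace('%', $this->token, addslashes((string) $a)),
            $args
        );
        // 2. Keep %% and the supported %s/%d/%f; escape any other lone "%".
        $format = preg_replace_callback(
            '/%%|%[sdf]|%/',
            fn($m) => $m[0] === '%' ? '%%' : $m[0],
            $format
        );
        $format = str_replace("'%s'", '%s', $format);
        $format = preg_replace('/(?<!%)%s/', "'%s'", $format);
        // The token stays in the output, so re-preparing this string is harmless.
        return vsprintf($format, $args);
    }

    /** Stand-in for running the query: the token becomes "%" only here. */
    public function execute(string $sql): string
    {
        return str_replace($this->token, '%', $sql);
    }
}

/** Runs both variants on the same constructed input and returns the results. */
function demo(): array
{
    $attacker = '%s';    // constructed attacker-controlled meta_key
    $value = 'colour';   // constructed trusted second argument

    // Naive: the attacker's "%s" survives the first prepare() as a live
    // placeholder, so the second prepare() has two placeholders for one
    // argument and the query collapses (null here).
    $fragment = naive_prepare('meta_key = %s', [$attacker]);   // meta_key = '%s'
    $naive = naive_prepare(
        "SELECT post_id FROM wp_postmeta WHERE $fragment AND meta_value = %s",
        [$value]
    );

    // Hardened: the "%" is tokenised in the first call, so the second call
    // only substitutes the placeholder it added itself.
    $db = new SafePrepare();
    $fragment = $db->prepare('meta_key = %s', [$attacker]);
    $safe = $db->execute($db->prepare(
        "SELECT post_id FROM wp_postmeta WHERE $fragment AND meta_value = %s",
        [$value]
    ));
    // $safe: SELECT post_id FROM wp_postmeta WHERE meta_key = '%s' AND meta_value = 'colour'

    return ['naive' => $naive, 'safe' => $safe];
}

var_dump(demo());
```

Run it with the PHP CLI (`php example.php`). The naive path yields null (a broken query) while the hardened path yields the query the caller intended, with the attacker's `%s` stored as a literal string. Note that the hardening relies on the token being left in place until execution: restoring `%` at the end of prepare() would reopen the same hole on the next prepare() call.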

According to Anthony Ferrara, VP
of engineering at Lingo Live, WordPress 4.8.2 was released last month in
an attempt to shore up its $wpdb->prepare() code, but
that update was not coded particularly well. As well as not fully addressing the underlying
flaw, the update also broke "a metric ton of third-party code and sites –
an estimated 1.2 million lines of code affected," Ferrara said.

Ferrara immediately warned the WordPress team that
the 4.8.2 patch was insufficient and liable to break add-ons for the
software; we're told the project initially refused to take him
seriously. It only backed down, preparing a better fix (version 4.8.3)
that doesn't break everything, when he provided proof-of-concept
exploit code for the lingering hole and threatened to go public, all
according to Ferrara.

"One of our struggles here, as it often is in security, is how to secure things while also breaking as little as possible," Ferrara quoted the WordPress team as saying.